
Even worse, when on top of all these they add an arbitrary length requirement: It can't be less than 8 letters OR more than 12. :|



That one irks me too... When I built an auth/RBAC app previously I did make max length configurable, and it would display a hint if set. I set a hidden hard limit of 1k only to reduce attack surface, which would only display an error if exceeded.

Default was a min-length of 15 as the only requirement, with the default hint of "try using a short sentence".

I also had optional use of zxcvbn and haveibeenpwned checks during new passphrase creation.

I really wanted to open source the application but couldn't get approval to do so.

It was a pretty nice little simple auth application that issued RSA-signed JWTs to configured applications. It was integrated into a few internal apps as well as for clients that didn't have something like Azure AD, Okta, etc., where we wrote bridge apps for auth.

If I had my configuration doc, I'd probably recreate it exactly, but with a Rust backend with HTMX instead of C# + React.

The data store used SQLite as a KV store, with simple methods for access that allowed an exception later for the values. Also wrote support for PostgreSQL and MS-SQL so they could be used where available.

Spent a lot of time on sane defaults, hashing and encryption, along with required configuration options for a few clients.

Aside: more devs really need to better understand public/private key generation and usage... Like not using the same keys for different environments.


Even worse, when the password has an arbitrary length requirement of 20, but the site doesn't tell you and just cuts off any trailing characters exceeding the requirement during account creation.

You have no idea how long it took me to figure that one out.


Slightly easier to figure out but no less annoying is when the maxLength attributes on the password fields for the two forms (create account and login) are different.


That sounds suspiciously like a VARCHAR(20) somewhere...


Don’t worry, all of this is necessary because the passwords are stored in plain text in the database.


Even worse, some will simply arbitrarily silently truncate the password. But not everywhere! The sign up page might silently truncate and then the actual login page might not.
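
A worked version of the two situations in this thread, as an added example that is not code from the thread or from the auth application the earlier commenter describes: the min-length-15 / hidden-hard-cap policy that errors instead of cutting, next to a sign-up handler that silently keeps the first 20 characters (a stand-in for the VARCHAR(20) guess above) while the login handler hashes the whole passphrase. The column width, the user names, the sample passphrase and the use of PBKDF2 as the KDF are all assumptions made for the example.

```python
# Added example, not code from the thread or from the commenter's auth app.
# (a) a policy check that rejects an over-long passphrase with an error
#     instead of silently cutting it;
# (b) the sign-up/login mismatch described above: sign-up truncates, login
#     does not, so the user's full, correct passphrase stops working.
import hashlib
import hmac
import os
from typing import Optional, Tuple

MIN_LEN = 15              # the only requirement; hint: "try using a short sentence"
HARD_MAX = 1000           # hidden cap that only bounds hashing work; errors if exceeded
PBKDF2_ROUNDS = 100_000   # assumption: stand-in KDF; use argon2id/bcrypt/scrypt in production


def check_policy(pw: str) -> Optional[str]:
    """Return an error message, or None when the passphrase is acceptable."""
    if len(pw) < MIN_LEN:
        return f"must be at least {MIN_LEN} characters; try using a short sentence"
    if len(pw.encode("utf-8")) > HARD_MAX:
        return f"must be at most {HARD_MAX} bytes"   # loud error, never a silent cut
    return None


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the full passphrase bytes."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


COLUMN_WIDTH = 20   # assumption: stands in for the VARCHAR(20) sign-up squeezes into


class TruncatingStore:
    """The bug: sign-up quietly keeps the first 20 characters, login hashes all of them."""

    def __init__(self) -> None:
        self.users = {}

    def signup(self, user: str, pw: str) -> None:
        self.users[user] = hash_password(pw[:COLUMN_WIDTH])   # silent truncation

    def login(self, user: str, pw: str) -> bool:
        if user not in self.users:
            return False
        salt, digest = self.users[user]
        return verify_password(pw, salt, digest)              # full passphrase, no cut


class StrictStore:
    """The fix: identical handling on both paths and an explicit error on policy failure."""

    def __init__(self) -> None:
        self.users = {}

    def signup(self, user: str, pw: str) -> None:
        err = check_policy(pw)
        if err:
            raise ValueError(err)
        self.users[user] = hash_password(pw)

    def login(self, user: str, pw: str) -> bool:
        if user not in self.users:
            return False
        salt, digest = self.users[user]
        return verify_password(pw, salt, digest)


def demo() -> dict:
    """Constructed 33-character passphrase run through both stores."""
    pw = "correct horse battery staple 2024"
    bad, good = TruncatingStore(), StrictStore()
    bad.signup("alice", pw)
    good.signup("alice", pw)
    return {
        "truncating_full": bad.login("alice", pw),          # False: user is locked out
        "truncating_first20": bad.login("alice", pw[:20]),  # True: only the cut prefix works
        "strict_full": good.login("alice", pw),             # True
        "strict_first20": good.login("alice", pw[:20]),     # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The length check lives in one policy function that every path calls, so sign-up, login and password change cannot disagree about what the passphrase is. Some KDFs also truncate on their own (bcrypt only reads the first 72 bytes), which is one more reason to validate length explicitly before hashing rather than trusting the storage layer or the form's maxlength.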


Wow. That would be a wonderful game of treasure hunt. Fortunately I've not come across that so far :D


What happened to me once is that a long-time password of mine got truncated as the website lowered its maximum password length, and the login page didn't truncate, so my full correct password suddenly stopped working. The pain.


Pretty sure Microsoft did this at some point. Maybe for Hotmail.


This all reminds me of the password game: https://neal.fun/password-game/ I'd call it amusing if it weren't so often real.

For a more entertaining take, I really enjoy this use of it against scammers and thieves: https://www.youtube.com/watch?v=knhQ2f8anT8


Several comments mention passwords getting silently truncated by input maxlength. FWIW my extension provides a visible warning when this occurs: https://underpassapp.com/StopTheMadness/


Proprietary, mac only, app store-ware. More madness.


> mac only

Also iOS.


I love this extension so much. Nothing satisfies me more than forcing stupid websites into cooperation.


"look, just tell me what you want my password to goddam be, and I'll go with that!"


“Sure but you can’t copy it out”



